INPLP article May 11, 2021

 in Privacy

Fine of €475,000 for reporting a data breach 22 days too late

According to a press release of 6 April, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on the company because it took too long to report a data breach to the DPA, as required by Article 33 GDPR.

22 days too late

The company was informed of the data breach on 13 January 2019, but did not report the breach to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours where feasible. On 4 February 2019 the company informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

Risk of falling victim to serious theft

The criminals involved obtained the personal data of over 4,000 customers and the credit card information of almost 300 people. By persuading hotel staff to reveal the log-in details for their accounts in a system, the criminals gained access to the data of 4,109 people who had booked a hotel room. The criminals also tried to get hold of the credit card information of other victims by posing as staff in emails or on the telephone.

‘Customers ran a risk of falling victim to serious theft,’ says DPA deputy chair Monique Verdier, ‘even if the criminals didn’t obtain credit card information but only someone’s name, contact details and booking information. After all, those details could be used by fraudsters for “phishing” expeditions.’

‘By posing in emails or on the phone as hotel staff, they attempted to steal money from people. Such an approach can seem highly credible if the fraudster knows exactly when you made a booking and what room you booked, then asks you to pay for the nights in question. Large amounts of money can be stolen in this way.’

‘This is a serious violation,’ Ms Verdier says. ‘Unfortunately, a data breach can occur anywhere, even if you have good precautionary measures in place. But in order to prevent harm to customers and future attacks, you have to report a breach on time.’

‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals having weeks in which to attempt to defraud customers.’

Huge responsibility

According to Ms Verdier, ‘A company of this size, which stores valuable personal data of millions of customers in its systems, has a huge responsibility. Customers are entrusting their personal data to the company, and the company must do everything it can to protect that data properly. That means not only ensuring good security to prevent breaches, but also taking rapid action if the worst should happen.’

International investigation

The investigation into the breach was international in scope. The situation involved an international company with customers from a range of countries. The company’s global headquarters are in the Netherlands, which is why the Dutch DPA performed the investigation. Since this was an international matter, the DPA coordinated the investigation with other European data protection supervisory authorities.


Data breaches can occur anywhere, even if you have the necessary precautionary measures in place. Nonetheless, it is essential to report a breach in time to prevent (further) harm to customers. Timely reporting also matters because it allows the DPA to take the necessary actions. Fortunately, the number of breaches reported in the Netherlands in 2020 was 30% higher than in 2019. Notifying the DPA is not necessary when no harm to customers is to be expected. Even in those cases, however, you must record the data breach in your internal register for accountability purposes.

In general, it is advisable to notify the DPA within 72 hours, even if you are not 100% sure about the severity of the impact of a data breach on customers. This matters all the more for organisational reasons: the Dutch DPA does not have nearly enough staff to investigate all reported data breaches, so it is time- and cost-efficient for the DPA to at least investigate breaches that were reported too late, as low-hanging fruit. Lastly, do not hesitate to notify a DPA promptly, as you can always alter or amend your notification at a later stage.

We should not forget that data breaches can happen to the best of us, however good our precautionary measures may be. As this breach demonstrates, however, a timely report of a data breach can prevent serious further economic and reputational damage.
